10/27/2010 



espacenet — Bibliographic data 



Verfahren zur Authentisierung einer Chipkarte innerhalb eines 
Nachrichtenubertragungs-Netzwerks 



Publication number: JP2002514024 (T) 

Publication date: 2002-05-14 

Inventor(s): 

Applicant(s): 

Classification: 

- international: G07F7/10; G09C1/00; H04L9/32; H04W12/06; G07F7/1 0; 

G09C1/00; H04L9/32; H04W12/00; (IPC1-7): G07F7/10; 
G09C1/00; H04L9/32 

- European: G07F7/10D; H04L29/06S8E; H04Q7/38A; H04W 12/06 
Application number: JP20000547592T 19990427 

Priority number(s): DE19981020422 19980507; WO1999EP02848 19990427 



Also published as: 

! DE19820422 (A1) 
|llS7080256 (B1) 
|CN1299497 (A) 
f AU3824199 (A) 
. ES2242395 (T3) 
J AT299612 (T) 
|W09957689 (A1) 
|EP1076887 (A1) 
|EP1076887 (B1) 
] HK1037415 (A1) 

« less 



Abstract not available for JP 2002514024 (T) 
Abstract of corresponding document: DE 19820422 (A1) 
The invention relates to a method for authenticating a 
chip card (SIM) in a network for transmitting 
messages, preferably in a GSM network. According 
to said method, an optionally secret algorithm and a 
secret key are stored in a chip card (SIM). In order to 
authenticate the card, the network or a network 
component first transmits a random number to the 
chip card. A reply signal is then generated in said 
chip card using the algorithm, the random number and 
the secret key, and transmitted to the network or 
network component where the authenticity of the card 
is checked. The authentication message is formed by 
dividing the secret key and the random number 
transmitted by the network into at least two parts 
each. A part of the transmitted random number and 
one or more parts of the secret key are encoded with 
a single or multi-stage, preferably symmetrical 
computation algorithm. A selected part of the product 
of the encoding procedure is transmitted to the 
network in order to issue an authentication reply. 
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(57) ABSTRACT 

The invention relates to a method for authenticating a smart 
card (SIM) in a messaging network, preferably a GSM 
network, wherein an optionally secret algorithm and a secret 
key are stored in a smart card (SIM), whereby for authen- 
tication the network or a network component first transfers 
a random number to the smart card, a response signal is 
generated in the smart card by means of the algorithm, the 
random number and the secret key, said signal being trans- 
mitted to the network or network component in order to 
check the authenticity of the card there. According to the 
invention both the secret key and the random number 
transferred by the network are split into at least two parts to 
form the authentication message, one part of the transferred 
random number and one or more parts of the secret key- 
being encrypted by means of a one- or multistep, preferably 
symmetrical calculation algorithm. To output an authentica- 
tion response, a selectable part of the encryption result is 
transferred to the network. 

10 Claims, 2 Drawing Sheets 
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METHOD FOR AUTHENTICATING A CHIP 
CARD IN A MESS AGE TRANSMISSION 
NETWORK 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates to a method for authenticating a 
smart card in a messaging network, preferably a GSM 
network, according to the preamble of claim 1. 

2. Description of Related Art 

In GSM systems it is known that for using the smart card 
(subscriber identity module, SIM) the user must usually first 
identify himself as an authorized user by means of a personal 
identification number (PIN). In order to avoid abuse at this 
point, it is known to provide an error counter for the PIN 
entry to prevent further use of the card after a permissible 
number of failed attempts is exceeded. 

A further system-relevant security measure is to authen- 
ticate the card vis-a-vis the mobile network. A secret key : 
inaccessible from outside and an algorithm like-wise inac- 
cessible from outside arc stored in the card. For authenti- 
cation a random number is generated by the network or a 
network component and transferred to the card. The card 
then calculates from the random number and secret key by : 
means of the algorithm present in the card a response which 
it transfers to the network. This response is analyzed in the 
network and, if the result is positive, access to the network 
functions is allowed. The corresponding procedure is 
described in the relevant GSM specifications. 

A network protected as stated above involves the danger 
that attacks on the algorithm used for authentication permit 
the network to be simulated in a computer for example by 
e.g. selected "random numbers" being transmitted to the 
SIM card according to the standardized protocol and the . 
secret key of the smart card being determined therefrom, 
after several authentication attempts. If the algorithm of the 
card is additionally known, essential functional elements of 
the card can be simulated or duplicated after determination 
of the secret key. 

SUMMARY OF THE INVENTION 

II is therefore an objective of the invention to provide a 
reliable method for authenticating a smart card in a mes- . 
saging system wherein there is no acknowledgment of the 
authentication result to the subscribing smart card, as cus- 
tomary in the GSM network for example. 

Advantageous embodiments of the invention are stated in 
the dependent claims. 

The invention provides for forming the authentication 
message by forming at least two parts from both the secret 
key and the random number transferred by the network, one 
of the parts of the transferred random number and one or 
more parts of the secret key being encrypted by means of a . 
one- or multistep, preferably symmetrical calculation algo- 
rithm. To output an authentication message, a selectable part 
of the result calculated according to the authentication 
algorithm is transferred to the network. 

An advantageous embodiment of the invention provides 
for generating the channel coding key in the same way. 
There too it is provided that, if key and random number are 
split into two parts for example, either the first or the second 
part of the transferred random number is linked with the first 
and/or second part of the secret key with a one- or multistep 
algorithm in order to obtain a channel coding key. One 
preferably uses different parts of the random number 



obtained from the network for forming the authentication 
message and the channel coding key in each case. 

A further advantageous embodiment of the invention 
provides that the secret key stored in the card and the 
random number sent by the network to the card are split into 
equally long parts. This permits the same calculation algo- 
rithm to be used in both cases. The random number or secret 
key can be split by simply making a split "in the middle" or 
by creating overlapping partial areas. One can also effect a 
i split by which the sum of the individual parts is smaller than 
tire bit length of the random number or secret key. According 
to a further variant, a given number of bits of the random 
number or secret key can be combined into a key or random 
number part according to a predetermined pattern or pseu- 
dorandomly. 

As a further advantageous embodiment of the invention, 
one can use DES algorithms as calculation algorithms for 
authentication and for channel coding. 

Another advantageous variant of the invention provides 
1 for using the preferably one-step IDEA algorithm for cal- 
culating the authentication parameters and channel coding 
keys. 

Alternatively, one can calculate the authentication param- 
eters and channel coding keys using compression algo- 
rithms, preferably cryptographic compression algorithms 
whose output values have a smaller length than the input 
parameters. 

To increase security it is advantageous to use an at least 
two-step calculation algorithm, whereby a triple DES algo- 
1 rithm proves especially safe. With this algorithm one first 
encrypts with a first part of the key and a part of the random 
number, then performs decryption of the result with the 
second part of the key, and finally executes a further 
calculation with the first part of the key again. For the last 
encryption with the first part of the key one can advanta- 
geously use a new, third key, in particular if the key is split 
into three key parts. 

A further advantageous embodiment of the invention 
results if the selection of the first or second part of the 
random number is effected alternatingly for authentication 
and calculation of the channel coding, this alternation being 
executed randomly or pseudorandomly and the selection 
being effected in the same way in the card and the network. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will be described more closely in the 
following with reference to FIGS. 1 to 3. 
, FIG. 1 shows the sequence of cryptographic functions of 
the SIM in the GSM network. 

FIG. 2 shows a block diagram of triple DES encryption. 

FIG. 3 show s examples of the split of the secret key and 
random number. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

The sequence shown in FIG. 1 assumes that the custom- 
i ary, preceding process of PIN verification has been com- 
pleted. Subsequently, the mobile unit in which card SIM is 
located sends to the network a message which contains IMSI 
(international mobile subscriber identity) information or 
TMSI (temporary mobile subscriber identity) information. 
Secret key K, is determined from the IMSI or TMSI in the 
network according to a given function or by means of a 
table. The same key is also stored in smart card SIM in an 
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inaccessible memory space. The secret key is required for 
later verification of the authentication process. 

The network then initiates the authentication process by 
calculating random number RAND and transferring it via 
the air interface to smart card SIM. 5 

Authentication parameter SRES is thereupon formed in 
the smart card by means of an authentication algorithm from 
secret key K, and random number RAND, said parameter 
being in turn transferred via the air interface to the network. 
According to the invention, at least two random numbers id 
RANDj and RAND 2 are derived from random number 
RAND. Random numbers RAND t and RAND 2 can be 
obtained by division or a selection from random number 
RAND or by a calculation algorithm. 

Authentication is effected with a two-step algorithm in the 15 
example according to FIG. 1. First, as indicated in FIG. 1, 
first part RANDj of the random number is encrypted with 
first part Kj of key K, likewise split into two parts. The result 
of said first step is subsequently encrypted in a second step 
with second part K 2 of the key. For calculation with the 20 
authentication algorithm one can of course also use second 
part RAND, of the random number first and change the 
order of using first and second key parts Kj and K 2 . 

Authentication parameter SRES' is meanwhile likewise 
formed in the network in the same way as in the card by 25 
means of the authentication algorithm and random number 
RAND (RAND |, RAND J and secret key Ki (K,, KJ. 
Parameter SRES' is then compared in the network with 
authentication parameter SRES obtained from the card. If 
authentication parameters SRES' and SRES match, the 30 
authentication process is completed successfully. If the 
authentication parameters do not match, the subscriber's 
card is regarded as unauthenticated. It should be noted here 
that one can also form SRES or SRES' using only parts of 
the result obtained by the encryption. 35 

In the same way as the authentication parameters are 
generated, key Kc for channel coding for data and speech 
transmission is generated in the card and the network. One 
preferably uses as the input parameter the part of random 
number RAND not used in authentication. 40 

FIG. 2 shows an advantageous example by which calcu- 
lation with the authentication algorithm and'or channel 
coding is executed by a triple DES algorithm. According to 
this algorithm, part RANDj or RAND 2 of the random 
number is first encrypted with first key part K l . In the next 45 
step decryption is effected with K 2 . The result is then 
encrypted with K t again or, if the random number/key is 
split into a plurality of parts, with a third part of the key. The 
channel coding is formed in the same way. The correspond- 
ing algorithms are used in the network in each case. 50 

Without restricting universality, the description of the 
examples according to FIGS. 1 and 2 assumed a two- or 
three-step, symmetrical encryption algorithm. The inventive 
idea, which consists of splitting the random number and 
secret key, can of course also be executed with other, 55 
common encryption or calculation algorithms. By way of 
example, mention is made of not only the DES algorithms 
(A3; A8) but also IDEA. The stated algorithms can also be 
executed in one step, whereby different parts of the key 
and/or random number are preferably generated for authen- 60 
tication and generation of channel coding key Kc. 

FIGS. 3a to e give examples of ways of splitting secret 
key K ; or random number RAND. 

FIG. 3a shows key K, or random number RAND with a 
length of 128 bits. 
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FIG. 3b shows a split into two equal parts K t and K 2 
(RAND x , RAND 2 ), the split being made in the middle. Part 
1 contains bit 1 to bit 64, part 2 contains bit 65 to bit 128. 
FIG. 3c shows an overlapping split, and FIG. 3d shows a 
split by which the odd bits are assigned to part 1 and the even 
bits to part 2. FIG. 3e finally shows a split by which the sum 
of the bit positions of parts 1 and 2 is smaller than the bit 
positions of the initial key or random number. 
The invention claimed is: 

1. A method for authenticating a smart card (SIM) in a 
messaging network, wherein an algorithm and a secret key 
are stored in a smart card (SIM), whereby for authentication 

the network or a network component first transfers a 

random number (RAND) to the smart card, 
a response signal (SRES) is generated therefrom in the 
smart card by means of the algorithm and the secret key 
(KJ and transmitted to the network or network com- 
ponent, characterized in that 
to form the response signal (SRES) the secret key (KJ and 
the random number (RAND) are each split into at least 
two parts (K 1; K 2 ; RAND 1; RAND 2 ), 
one of the parts (RAND 1; RAND 2 ) of the transferred 
random number (RAND) is encrypted with the aid of 
one or more parts (K 1; K 2 ) of the secret key (KJ by- 
means of a one- or multistep algorithm. 

2. A method according to claim 1, characterized in that a 
given number of bits is selected from the encryption result 
and transferred as a signal response (SRES) to the network. 

3. A method according to claim 1, characterized in that a 
part of the transferred random number (RAND) and one or 
more parts of the secret key (KJ are used to calculate a 
channel coding key (KJ by means of a one- or multistep 
algorithm, at least one part of the calculation result being 
used as the channel coding key (KJ. 

4. A method according to claim 1, characterized in that the 
key (KJ and the random number (RAND) are split into two 
equally long parts (K 1; K^RAND^ RAND 2 ). 

5. A method according to claim 1, characterized in that 
DES algorithms are used to calculate at least one of the 
authentication parameters (SRES, SRES') and the channel 
coding key (KJ. 

6. A method according to claim 1, characterized in that an 
IDEA algorithm is used to calculate the authentication 
parameters (SRES, SRES') and the channel coding key (KJ. 

7. A method according to claim 1, characterized in that a 
compression algorithm whose output value has a smaller 
length than the input parameter is used to calculate the 
authentication parameters (SRES, SRES') and the channel 
coding key (KJ. 

8 . A method according to claim 7, characterized in that the 
calculation of the authentication parameters is effected in an 
at least two-step algorithm. 

9. A method according to claim 1, characterized in that a 
triple DES algorithm is used as an encryption algorithm, 
whereby one first encrypts with the first part (KJ of the key 
(KJ, then decrypts with the second part (K 2 ) of the key (K,) 
and thereupon encrypts again with the first part (Kl) or a 
third part of the key (KJ, by means of a one- or multistep 
algorithm. 

10. A method according to claim 1, characterized in that 
a selection of the first or second part of the random number 
(RAND) is effected in the same way in the card and the 
network in random or pseudorandom alternation. 



